authorSunil Ravi <sunilravi@google.com>2019-11-21 14:40:24 -0800
committerSunil Ravi <sunilravi@google.com>2019-11-22 11:30:27 -0800
commit79bc3a0103c4c5d4ee065b6260d86881ebd97f5e (patch)
tree6cd4901762be13a16cc57cc421b2f17c89e47b17
parent4e2bb36488a96a60e4e9acf2ae7c092eb15ae5d6 (diff)
qcacmn: Fix zero size malloc when memory debug is disabledandroid-10.0.0_r0.42android-10.0.0_r0.35android-msm-coral-4.14-android10-qpr1
In SLUB disabled builds, qdf_mem_malloc calls the qdf_mem_malloc_fl function, which does not check whether the size provided is 0 and returns ZERO_SIZE_PTR (((void *)16)) as the pointer. Dereferencing this pointer causes an invalid address dereference. Validate that the size parameter provided to qdf_mem_malloc is neither 0 nor greater than QDF_MEM_MAX_MALLOC. Return failure if the validation fails. Bug: 144843138 Change-Id: I8fc6bc796847e9dd3dfd5186b0386d323560d0cf CRs-Fixed: 2571505 Signed-off-by: Sunil Ravi <sunilravi@google.com>
-rw-r--r--qdf/linux/src/qdf_mem.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/qdf/linux/src/qdf_mem.c b/qdf/linux/src/qdf_mem.c
index 39d55dbb0..b85bddfc4 100644
--- a/qdf/linux/src/qdf_mem.c
+++ b/qdf/linux/src/qdf_mem.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -48,15 +48,15 @@
#include <net/cnss_prealloc.h>
#endif
-#ifdef MEMORY_DEBUG
-#include "qdf_debug_domain.h"
-#include <qdf_list.h>
-
/* Preprocessor Definitions and Constants */
#define QDF_MEM_MAX_MALLOC (4096 * 1024) /* 4 Mega Bytes */
#define QDF_MEM_WARN_THRESHOLD 300 /* ms */
#define QDF_DEBUG_STRING_SIZE 512
+#ifdef MEMORY_DEBUG
+#include "qdf_debug_domain.h"
+#include <qdf_list.h>
+
static qdf_list_t qdf_mem_domains[QDF_DEBUG_DOMAIN_COUNT];
static qdf_spinlock_t qdf_mem_list_lock;
@@ -1178,6 +1178,11 @@ void *qdf_mem_malloc(size_t size)
{
void *ptr;
+ if (!size || size > QDF_MEM_MAX_MALLOC) {
+ qdf_err("Cannot malloc %zu bytes", size);
+ return NULL;
+ }
+
ptr = qdf_mem_prealloc_get(size);
if (ptr)
return ptr;
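Review bot: The new rejection path at the top of qdf_mem_malloc logs only the size, so a zero-length or oversized request cannot be traced back to the caller that made it; consider logging the return address as well, `qdf_err("Cannot malloc %zu bytes @ %pS", size, (void *)_RET_IP_);`, assuming qdf_err passes the kernel's printk pointer extensions through. A one-line comment above the check would record why zero is refused, for example `/* kmalloc(0) yields ZERO_SIZE_PTR: non-NULL, but faults on dereference */`. Callers that previously got a non-NULL pointer for these sizes now receive NULL, so any call site that does not test the result is worth auditing, and if a size can be derived from external data the error print should be rate limited. The rest of the function body lies outside this hunk, so the allocation path after the prealloc lookup was not reviewed.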